Cyber security top CIO concern as Coats re-lists on London Stock Exchange

When manufacturing firm Coats relisted on the London Stock Exchange in February - 125 years after the UK firm's initial listing - global CIO Richard Cammish had one topic at the front of his mind: security.

"We are now a public company again, therefore our risk profile has increased," says Cammish.

"Cyber security has, over the past few years, become very visible to executives of all companies. It is a fact that internet-based technologies have become more pervasive, and communications are now boundary-less.

"The ability for cyber criminals to target public companies means you clearly need to have a much more robust approach to cyber security."

Coats is one of the world's leading manufacturers of thread used in everything from clothing and footwear - one of its large clients is Adidas - to upholstery and mattresses.

Its operations span 70 countries, with factories spread spread across the world - mostly in Asia but also in Europe, the US and Latin America - with a total staff headcount of 20,000, of which 7,000 are regular IT users.

One of the challenges for the firm is managing security controls for its disparate workforce.

Cammish - who reports directly to Coats chief executive and leads security practices - highlights the escalating threat level since the company went private in 2003. This has been exacerbated by global interconnectedness and the rise of sites such as Facebook, Twitter and others.

"If people are on social networks, whether it's personal or corporate, the outcome is the same; you are exposing yourself to seven billion people that live on this planet, and some of those are quiet nasty people," says Cammish.

"They could use you to infections and you could bring those back into your organisation and it could cause business process disruption or it could lead to a breach of security in our finance systems."

A recent analysis of the 2015 CIO 100 revealed that more than half of IT leaders had experience a cyber intrusion in the past year, with heightened awareness leading to a subsequent increase in security budgets. Although Coats has not fallen victim of a major cyber attack the company has kicked off a multi-year security project to improve network defences across its business and fend-off cyber attacks.

"We have got wall-to-wall virus checking, which is endpoint devices, we have got monitoring of our networks, and we will be putting in other tools as we see fit as part of our three-year cyber security roadmap."

A major part of this strategy has been to deploy network monitoring and web-filtering tools from security startup Zscaler.

Cammish says Zscaler has helped the firm manage the growing malware threat witnessed by the company. Last month 250,000,000 interactions with the internet were recorded. Of these, around 600,000 activities or transactions involved malware.

The rollout of the tools has been a success, Cammish contends, and helped address the risk the business faces. "We have been able to identify the flow of traffic, blocked all of this malware coming in, but we have also been able to see who is accessing what, what has been blocked, and it just allows us to tune our internet access."

He adds that it has aided central management of security protocols across the various parts of its operations: "The key benefit of having a web filtering technology is that we can segment our user based so we can have quite aggressive controls for people that just need to check the internet for basic information, for senior manager and executives we can have a different control regime.

"It is not one size fits all, we do have a black listing/white listing process where we can now manage centrally, whereas before we had no idea who was accessing what.

"I can sleep more easily at night knowing that we have put in a control protocol that is consistent."

It has not all been plain-sailing however. Cammish says that there was initial reluctance within the organisation when faced with new security measures.

"Because it was quite a quick rollout of the cloud service there was a lot of resistance and a lot of complaints in the early days. People were getting the Zscaler pop-up window, they were getting blocked out of sites that they were previously able to access. And it is fair to say when you are going though the roll out process you do need to fine tune the black list and white list.

"When people were blaming the product I actually intervened in some of these conversations and said I am usually quite accommodating, but I will make no apologies for what we are doing with Zscaler. My neck is on the line when it comes to cyber security, and if we have a major cyber security breach, I lose my job.

"That is why it is of absolute interest to me to apply standards consistently across the organisation."

Investment in software tools is not a panacea for improving security, however, and the company investing in a cyber security awareness programme for all its 7,000 users, he says.

"That is because you can put in as much technology and process as you like, but your weakest link can be people. A classic example would be an email that looks like a bona fide email, but if you look closely it has a few ambiguities - it is a phishing attack. People need to keep their wits about them."